SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #19

March 10, 2009

Interesting (and troubling) disclosures at a meeting this morning of DHS, DoD, NIST and other US government and industry security leaders. First NIST said that it was working closely with the DoD and the Intelligence Community (IC) that will make the NIST 800-53 guidance, now mandatory for civilian federal agencies, also mandatory for use by the IC and DoD. Then one of the nation's top government defenders reported that neither of the two main attack vectors, the two that account for the vast majority of successful exploits against US civilian government computers, is adequately addressed in NIST's 800-53 guidance (the words used were "you would be hard pressed to find [the needed controls]" in the guidance.) If the second disclosure is true, and it appears that it is because no one at the meeting refuted it, then the decision to apply 800-53 to our most critical national government computers needs to be reconsidered.

New free resource: Application security papers in the SANS Reading Room. The first paper: "Protecting Your Web Apps: Two Big Mistakes and 12 Practical Steps to Avoid Them"
http://www.sans.org/reading_room/application_security/
Alan

---

TOP OF THE NEWS

Australian Police Could be Granted Remote Computer Investigation Privileges
California Legislation Would Require Specific Information in Data Breach Notifications
Verizon Offers Customers Chance to Opt Out of Data Sharing Arrangement

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
UK ICO Will Prosecute Company That Sold Building Worker Data
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Lost Memory Stick Holds Police Investigation Data
DHS Cyber Security Director Beckstrom Resigns
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Swedish Police Seize Server in Illegal Filesharing Bust
VULNERABILITIES
Unpatched Adobe Flaw Can be Exploited Without JavaScript
Google Fixes Google Docs Unintentional File Sharing Flaw
UPDATES AND PATCHES
Next Generation of Windows Will Allow Users to Turn off Certain Programs
DATA BREACHES, LOSS & EXPOSURE
Bottle Domains Data Breach Exposes 60,000 Payment Cards
ACTIVE EXPLOITS, WORMS & VIRUSES
Worm Infects Scottish Hospital Computers
Conficker Update Includes Vast Expansion of Phone Home Domains

---

********************** Sponsored By PureWire ****************************

Learn how hackers are exploiting your employees' Web surfing to gain entry into your network. New technologies such as AJAX and Silverlight are fueling attack methods such as; Clickjacking, XSS and Request Forgery. Recent research shows that 70% of Web sites serving malware are actually legitimate sites. Download this white paper now! http://www.sans.org/info/40063

*************************************************************************

TRAINING UPDATE

- - Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Plus Calgary, New Orleans, San Diego and more...
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Australian Police Could be Granted Remote Computer Investigation Privileges (March 9, 2009)

Proposed legislation in the Australian state of New South Wales would give police the authority to remotely break into certain crime suspects' computers to conduct investigations. Those targeted by the investigation could be prevented from learning of the investigation for up to three years. The permission would be given only in cases in which the alleged crime is punishable by seven or more years in prison.
-http://news.cnet.com/8301-1009_3-10191514-83.html?tag=mncol;title
-http://www.zdnet.com.au/news/security/soa/NSW-Police-to-get-hacking-powers/0,130
061744,339295354,00.htm]

[Editor's Note (Northcutt): This is a bad idea: police hackers. ]

California Legislation Would Require Specific Information in Data Breach Notifications (March 6, 2009)

California State Senator Joe Simitian has introduced legislation that would require organizations that experience data security breaches to provide a specific set of information in their disclosure letters. Presently, California law requires organizations to notify affected individuals if their personal data have been compromised in a security breach, but the letters often leave the recipients with more questions than answers. The bill would also require that state authorities be notified at the same time as affected residents.
-http://news.cnet.com/8301-1009_3-10190978-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://blog.wired.com/27bstroke6/2009/03/ca-looks-to-exp.html
-http://info.sen.ca.gov/pub/09-10/bill/sen/sb_0001-0050/sb_20_bill_20081201_intro
duced.html
[Editor's Note (Schultz): Sound legal statutes evolve over time, as shown by this follow-up legislation for California SB-1386. When this statute was originally passed in 2002, it had numerous loopholes that were closed by subsequent legislation. If this new legislation passes, it will once again make California a leader in the data security breach notification area.
(Ranum): As long as the burden of clean-up remains on the consumer, the risk equation is still not balanced. As long as it's not balanced we'll continue to see hemorrhaging personal information. ]

Verizon Offers Customers Chance to Opt Out of Data Sharing Arrangement (March 8, 2009)

Verizon is reportedly sending letters to its customers, allowing them the opportunity to opt out of an arrangement to share their personal data with the company's "affiliates, agents, and parent companies." The data covered by the agreement would include, but are not limited to: "services purchases (including specific calls you make and receive), billing info, technical info and location info." Customers who receive their Verizon statements online will not receive the letter; instead, they may access their accounts and view their messages to get the information.
-http://yro.slashdot.org/article.pl?sid=09/03/08/196242
[Editor's Note )Pescatore): It is really time these sort of things started coming out saying "Company X is sending letters to its customers, informing them that no personal data will be shared unless the customer opts in."]

---

************************** SPONSORED LINKS ******************************

1) Join professionals to learn about Log Management tools at the Log Management Summit April 6-7. http://www.sans.org/info/40068

2) What are the ten technical tips most penetration tester don't know but should. Penetration Testing and Ethical Hacking Summit June 1-2. http://www.sans.org/info/40073

3) Brady Bunch Boondoggle - Hacking Challenge
SANS wireless master Josh Wright created an awesome new edition to the Skillz H@ck1ng Challenges hosted by Ed Skoudis. Help Peter and the gang plant a rogue AP in their Dad's architectural office at Phillips Design to help him get a raise, so they can stay in the house. Is your Fu good enough or will you too get a lecture on life by Mike Brady? All entries are due by March 16, 2009. http://www.ethicalhacker.net/content/view/234/2/

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

UK ICO Will Prosecute Company That Sold Building Worker Data (March 2009)

The UK Information Commissioner's Office (ICO) plans to prosecute a company under the Data Protection Act for allegedly selling details from a clandestine database of building workers' information. The company, called the Consulting Association, allegedly provided information to subscribing building companies that sent in lists of prospective employees and received information about them, including their personal relationships, whether they were deemed a safety risk or had union ties. The information in the database was gathered and retained without the workers' consent. Some building companies are adamant that they do not condone the practice of blacklisting. An investigation determined that the Consulting Association had compiled a database with information about 3,213 building workers.
-http://news.bbc.co.uk/2/hi/uk_news/7928807.stm
[Editor's Note (Honan): Companies collecting personally identifiable data about individuals within the UK are legally obliged to ensure they do so in line with the eight principles of the Data Protection Act. In this case it appears the relevant principles are the information must be "Fairly and lawfully processed", "Adequate, relevant and not excessive" and "Processed in line with your rights". ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Lost Memory Stick Holds Police Investigation Data (March 9, 2009)

A memory stick containing unencrypted details about hundreds of Scottish police investigations is missing. The device was lost at the end of last year at Lothian and Borders Police headquarters. The memory stick was believed to have been being moved within a secure area when it was lost, but the incident serves to demonstrate the need to encrypt sensitive data at all times.
-http://www.scmagazineuk.com/Unencrypted-police-memory-stick-lost/article/128429/
[Editor's Note (Ranum): When are enterprises going to learn? The way to prevent this kind of thing from happening is to NOT make it possible. Let people copy critical data around, and critical data will leak; it's that simple. Encryption is not a panacea, because of the prevalence of keylogging trojans and the fact that people will have to have the data unencrypted, at some point, in order to use it. The answer to data leakage is data control. There is no "plan B".
(Pelgrin): One should consider encrypting all mobile devices. In this digital era it leaves to much to human error to decide whether sensitive or confidential data is or has ever been on the mobile device. Surveys have shown that end users don't always know what is stored on these devices. We need to make it easy to protect our data -- therefore encryption all mobile device leaves the guess work out of the equation.]

DHS Cyber Security Director Beckstrom Resigns (March 6, 7 & 8, 2009)

The US Department of Homeland Security's (DHS) National Cyber Security Center director Rod Beckstrom has resigned his position effective Friday, March 13. Beckstrom is quoted as saying in a letter to DHS Secretary Janet Napolitano that allowing the National Security Agency (NSA) to control national cyber security efforts is "a bad strategy on multiple grounds." Beckstrom also said that his organization was insufficiently supported by the previous administration.
-http://lastwatchdog.com/cybersecurity-official-resigns-smothering-nsa/
-http://www.scmagazineus.com/DHS-National-Cybersecurity-Center-director-resigns/a
rticle/128396/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9129218&source=rss_topic17
-http://fcw.com/Articles/2009/03/06/DHS-cybersecurity-chief-resigns.aspx
-http://blog.wired.com/defense/2009/03/breaking-cyber.html
-http://www.securityfocus.com/brief/922
-http://www.msnbc.msn.com/id/29557432/

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Swedish Police Seize Server in Illegal Filesharing Bust (March 6 & 7, 2009)

Police in Brandbergen, Sweden, near Stockholm, raided an apartment and seized a server containing 65 terabytes of allegedly pirated files. The raid was part of an effort to crack down on illegal filesharing. Sixty-five terabytes translates to approximately 16,000 full-length films. The raid was conducted on February 9 but made public only last week. The equipment's alleged owner has been questioned and released, but remains the subject of an investigation.
-http://www.msnbc.msn.com/id/29566891/
-http://news.cnet.com/8301-1023_3-10190977-93.html?part=rss&subj=news&tag
=2547-1009_3-0-20

VULNERABILITIES

Unpatched Adobe Flaw Can be Exploited Without JavaScript (March 6, 2009)

A promised patch for a flaw in Adobe Reader and Acrobat is being even more eagerly anticipated following the revelation that the flaw it will fix is more serious than first believed. Adobe has been aware of the problem since January and said it would have a patch to fix it on March 11. Adobe publicly acknowledged the vulnerability several weeks ago and recommended that users disable JavaScript in Acrobat and Reader until the patch is issued. The vulnerability has been deemed critical and reports emerged that it had been being exploited in the wild since early this year. Researchers now say they have developed exploits for the flaw that do not rely on JavaScript for their execution. This story was broken by the Internet Storm Center at
-http://isc.sans.org/diary.html?storyid=5902
but pulled the story until it was reported elsewhere so as not to exacerbate the risk. The follow-up story is posted at
-http://isc.sans.org/diary.html?storyid=5926
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9129163&source=rss_topic17
[Editor's Note (Honan): Some people have recommended that users move to other PDF readers but appears this vulnerability may impact those readers as well. ]

Google Fixes Google Docs Unintentional File Sharing Flaw (March 9, 2009)

Google has fixed a security flaw in its Google Docs document sharing program that could allow files to be shared inadvertently. Google said the vulnerability affected only a small percentage of documents. To address the problem, Google removed sharing privileges from documents affected by the flaw; users have been provided with instructions on how to share those documents again if they wish. According to Google, the flaw does not affect spreadsheets.
-http://www.theregister.co.uk/2009/03/09/google_docs_serious_security_breach/
-http://www.eweek.com/c/a/Security/Google-Fixes-Document-Sharing-Privacy-Issue/
-http://www.informationweek.com/news/services/storage/showArticle.jhtml?articleID
=215801317&subSection=News
-http://googledocs.blogspot.com/2009/03/on-yesterdays-email.html

UPDATES AND PATCHES

Next Generation of Windows Will Allow Users to Turn off Certain Programs (March 6 & 9, 2009)

Microsoft's new operating system, Windows 7, will have modular features, allowing users to turn off various applications, including Internet Explorer (IE). The change will be a boon to competition; Microsoft has dealt with claims of anti-trust violations in the past. A 2004 European ruling required Microsoft to disclose proprietary information about its software with competitors; it was also fined 497 million Euros (US $627.9 million) and required to unbundle certain products from standard Windows installations. Windows 7 is expected to be released commercially in 2010.
-http://news.bbc.co.uk/2/hi/technology/7932149.stm
-http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?a
rticleID=215801222&subSection=News
-http://blogs.zdnet.com/gadgetreviews/?p=1927
-http://www.msnbc.msn.com/id/29596703/
[Editor's Note (Guest editor Frantzen): The EU ruling did not require MS to unbundle certain products from standard Windows installations. It required MSFT to make available alternate versions that did not contain the bundled products. They were allowed to continue to offer the bundled versions.
(Pescatore): In general, this should be a security positive. Right now, the 30% of the users who aren't using IE often have it pop-up unexpectedly and they end up having multiple browsers running and paths to malicious ActiveX controls that they didn't realized were open.]

DATA BREACHES, LOSS & EXPOSURE

Bottle Domains Data Breach Exposes 60,000 Payment Cards (March 6, 2009)

As many as 60,000 credit cards may be at risk for fraud due to a data security breach at Australian domain name registrar Bottle Domains. National Australia Bank (NAB) and Commonwealth bank both acknowledged receiving lists of potentially compromised payment cards; NAB said that an undisclosed number of cards on the list has been used in fraudulent transactions. Bottle Domains has not yet notified its customers of the breach, although Australian domain name industry regulator au Domain Administration Ltd. has informed all Bottle Domains customers of the breach by email. The breach came to light when the stolen information was offered for sale on the Internet earlier this year; one man has been arrested in connection with the data theft. Bottle Domains maintains that it is compliant with the payment card industry data security standard (PCI DSS).
-http://www.thesheet.com/nl05_news_selected.php?act=2&stream=1&selkey=796
3&hlc=2&hlw=

ACTIVE EXPLOITS, WORMS & VIRUSES

Worm Infects Scottish Hospital Computers (March 9, 2009)

A computer worm infected computers at two Scottish hospitals last week. Laboratory computers at the Stobhill and Gartnavel General hospitals were infected, forcing a dozen patients at the Beatson West of Scotland Cancer Care Centre to reschedule their appointments. Computer systems at the hospitals were taken down for two days while technicians cleared up the infection. While it has not been definitively determined, a description of the infection at the Glasgow-area hospitals is consistent with the effects of the Conficker worm.
-http://www.theregister.co.uk/2009/03/09/scot_hostpitals_malware_infection/

Conficker Update Includes Vast Expansion of Phone Home Domains (March 7 & 9, 2009)

The Conficker worm has been updated; some infected computers are receiving new information that appears to try to protect the malware from efforts by researchers to stop its spread and effects. The update prevents antivirus and security analysis software from removing Conficker from the machines it has infected. The update also increases by a factor of 200 the number of domains the worm contacts daily; the researchers had been working to predict the domains infected machines would attempt to contact and control them to stymie Conficker's spread. Before the update, machines infected by Conficker contacted 250 domains each day; that number has increased to 50,000.
-http://www.theregister.co.uk/2009/03/07/conficker_upgrade/
-http://www.securityfocus.com/brief/923

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/